protected String getPasswordHistoryHumanReadable(List<PasswordHistoryEntryType> historyEntriesType) { return historyEntriesType.stream() .map(historyEntry -> { try { return getHumanReadablePassword(historyEntry.getValue()); } catch (EncryptionException e) { throw new SystemException(e.getMessage(), e); } }) .collect(Collectors.joining(", ")); }
public String decrypt(ProtectedStringType protectedString) { try { return protector.decryptString(protectedString); } catch (EncryptionException e) { throw new SystemException(e.getMessage(), e); } }
private boolean passwordEquals(ProtectedStringType newPasswordPs, ProtectedStringType currentPassword) throws SchemaException { if (currentPassword == null) { return newPasswordPs == null; } try { return protector.compare(newPasswordPs, currentPassword); } catch (EncryptionException e) { throw new SystemException("Failed to compare " + shortDesc + ": " + e.getMessage(), e); } } }
public ProtectedStringType encrypt(String string) { try { return protector.encryptString(string); } catch (EncryptionException e) { throw new SystemException(e.getMessage(), e); } }
private String getClearValue(ProtectedStringType protectedString) { if (protectedString == null) { return null; } String passwordStr = protectedString.getClearValue(); if (passwordStr == null && protectedString.isEncrypted()) { try { passwordStr = protector.decryptString(protectedString); } catch (EncryptionException e) { throw new SystemException("Failed to decrypt " + shortDesc + ": " + e.getMessage(), e); } } return passwordStr; }
public static void encrypt(Collection<ObjectDelta<? extends ObjectType>> deltas, Protector protector, ModelExecuteOptions options, OperationResult result) { // Encrypt values even before we log anything. We want to avoid showing unencrypted values in the logfiles if (!ModelExecuteOptions.isNoCrypt(options)) { for(ObjectDelta<? extends ObjectType> delta: deltas) { try { CryptoUtil.encryptValues(protector, delta); } catch (EncryptionException e) { result.recordFatalError(e); throw new SystemException(e.getMessage(), e); } } } }
private static void encryptProtectedStringType(Protector protector, ProtectedStringType ps, String propName) throws EncryptionException { if (ps == null) { return; } if (ps.isHashed()) { return; } if (ps.getClearValue() != null) { try { protector.encrypt(ps); } catch (EncryptionException e) { throw new EncryptionException("Failed to encrypt value for field " + propName + ": " + e.getMessage(), e); } } }
@Override public void refreshShadow(PrismObject<ShadowType> shadow, ProvisioningOperationOptions options, Task task, OperationResult parentResult) throws SchemaException, ObjectNotFoundException, CommunicationException, ConfigurationException, ObjectAlreadyExistsException, SecurityViolationException, ExpressionEvaluationException { Validate.notNull(shadow, "Shadow for refresh must not be null."); OperationResult result = parentResult.createSubresult(OPERATION_REFRESH_SHADOW); LOGGER.debug("Refreshing shadow {}", shadow); try { shadowCache.refreshShadow(shadow, task, result); } catch (CommunicationException | SchemaException | ObjectNotFoundException | ConfigurationException | ExpressionEvaluationException | RuntimeException | Error e) { ProvisioningUtil.recordFatalError(LOGGER, result, "Couldn't refresh shadow: " + e.getClass().getSimpleName() + ": "+ e.getMessage(), e); throw e; } catch (EncryptionException e) { ProvisioningUtil.recordFatalError(LOGGER, result, null, e); throw new SystemException(e.getMessage(), e); } result.computeStatus(); result.cleanupResult(); LOGGER.debug("Finished refreshing shadow {}: {}", shadow, result); }
private String getPassword(ConnectionEnvironment connEnv, @NotNull MidPointPrincipal principal, ProtectedStringType protectedString) { String decryptedPassword; if (protectedString.getEncryptedDataType() != null) { try { decryptedPassword = protector.decryptString(protectedString); } catch (EncryptionException e) { recordAuthenticationFailure(principal, connEnv, "error decrypting password: "+e.getMessage()); throw new AuthenticationServiceException("web.security.provider.unavailable", e); } } else { LOGGER.warn("Authenticating user based on clear value. Please check objects, " + "this should not happen. Protected string should be encrypted."); decryptedPassword = protectedString.getClearValue(); } return decryptedPassword; }
protected String getDecryptedValue(ConnectionEnvironment connEnv, @NotNull MidPointPrincipal principal, ProtectedStringType protectedString) { String decryptedPassword; if (protectedString.getEncryptedDataType() != null) { try { decryptedPassword = protector.decryptString(protectedString); } catch (EncryptionException e) { recordAuthenticationFailure(principal, connEnv, "error decrypting password: "+e.getMessage()); throw new AuthenticationServiceException("web.security.provider.unavailable", e); } } else { LOGGER.warn("Authenticating user based on clear value. Please check objects, " + "this should not happen. Protected string should be encrypted."); decryptedPassword = protectedString.getClearValue(); } return decryptedPassword; }
public static GuardedString toGuardedString(ProtectedStringType ps, String propertyName, Protector protector) { if (ps == null || ps.isHashed()) { return null; } if (!ps.isEncrypted()) { if (ps.getClearValue() == null) { return null; } LOGGER.warn("Using cleartext value for {}", propertyName); return new GuardedString(ps.getClearValue().toCharArray()); } try { return new GuardedString(protector.decryptString(ps).toCharArray()); } catch (EncryptionException e) { LOGGER.error("Unable to decrypt value of element {}: {}-{}", new Object[] { propertyName, e.getMessage(), e }); throw new SystemException("Unable to decrypt value of element " + propertyName + ": " + e.getMessage(), e); } catch (RuntimeException e) { // The ConnId will mask encryption exceptions into RuntimeException throw new SystemException("Unable to encrypt value of element " + propertyName + ": " + e.getMessage(), e); } }
public static GuardedString toGuardedString(ProtectedStringType ps, Protector protector, String propertyName) { if (ps == null) { return null; } if (!protector.isEncrypted(ps)) { if (ps.getClearValue() == null) { return null; } // LOGGER.warn("Using cleartext value for {}", propertyName); return new GuardedString(ps.getClearValue().toCharArray()); } try { return new GuardedString(protector.decryptString(ps).toCharArray()); } catch (EncryptionException e) { // LOGGER.error("Unable to decrypt value of element {}: {}", // new Object[] { propertyName, e.getMessage(), e }); throw new SystemException("Unable to decrypt value of element " + propertyName + ": " + e.getMessage(), e); } }
private String getClearValue(ProtectedStringType protectedString) throws SchemaException, PolicyViolationException { try { if (protectedString.isEncrypted()) { return protector.decryptString(protectedString); } else if (protectedString.getClearValue() != null) { return protector.decryptString(protectedString); } else if (protectedString.isHashed()) { throw new SchemaException("Cannot validate value of hashed password"); } } catch (EncryptionException e) { throw new PolicyViolationException(e.getMessage(), e); } return null; }
protected List<PrismObject> repoAddObjectsFromFile(File file, OperationResult parentResult) throws SchemaException, ObjectAlreadyExistsException, IOException { OperationResult result = parentResult.createSubresult(AbstractIntegrationTest.class.getName() + ".addObjectsFromFile"); result.addParam("file", file.getPath()); LOGGER.trace("addObjectsFromFile: {}", file); List<PrismObject> objects = (List) prismContext.parserFor(file).parseObjects(); for (PrismObject object: objects) { try { repoAddObject(object, result); } catch (ObjectAlreadyExistsException e) { throw new ObjectAlreadyExistsException(e.getMessage()+" while adding "+object+" from file "+file, e); } catch (SchemaException e) { new SchemaException(e.getMessage()+" while adding "+object+" from file "+file, e); } catch (EncryptionException e) { new EncryptionException(e.getMessage()+" while adding "+object+" from file "+file, e); } } result.recordSuccess(); return objects; }
protected <T extends ObjectType> List<PrismObject<T>> repoAddObjectsFromFile(File file, Class<T> type, OperationResult parentResult) throws SchemaException, ObjectAlreadyExistsException, IOException { OperationResult result = parentResult.createSubresult(AbstractIntegrationTest.class.getName() + ".addObjectsFromFile"); result.addParam("file", file.getPath()); LOGGER.trace("addObjectsFromFile: {}", file); List<PrismObject<T>> objects = (List) prismContext.parserFor(file).parseObjects(); for (PrismObject<T> object: objects) { try { repoAddObject(object, result); } catch (ObjectAlreadyExistsException e) { throw new ObjectAlreadyExistsException(e.getMessage()+" while adding "+object+" from file "+file, e); } catch (SchemaException e) { new SchemaException(e.getMessage()+" while adding "+object+" from file "+file, e); } catch (EncryptionException e) { new EncryptionException(e.getMessage()+" while adding "+object+" from file "+file, e); } } result.recordSuccess(); return objects; }
/** * Returns ICF connector info manager that manages local connectors. The * manager will be created if it does not exist yet. * * @return ICF connector info manager that manages local connectors */ private ConnectorInfoManager getRemoteConnectorInfoManager(ConnectorHostType hostType) { String hostname = hostType.getHostname(); int port = Integer.parseInt(hostType.getPort()); GuardedString key; try { key = new GuardedString(protector.decryptString(hostType.getSharedSecret()).toCharArray()); } catch (EncryptionException e) { throw new SystemException("Shared secret decryption error: "+e.getMessage(),e); } Integer timeout = hostType.getTimeout(); if (timeout == null) { timeout = 0; } boolean useSSL = false; if (hostType.isProtectConnection() != null) { useSSL = hostType.isProtectConnection(); } List<TrustManager> trustManagers = protector.getTrustManagers(); LOGGER.trace("Creating RemoteFrameworkConnectionInfo: hostname={}, port={}, key={}, useSSL={}, trustManagers={}, timeout={}", new Object[] {hostname, port, key, useSSL, trustManagers, timeout}); RemoteFrameworkConnectionInfo remoteFramewrorkInfo = new RemoteFrameworkConnectionInfo(hostname, port, key, useSSL, trustManagers, timeout); return connectorInfoManagerFactory.getRemoteManager(remoteFramewrorkInfo); }
@Override public void notifyEvent(ResourceEventDescription eventDescription, Task task, OperationResult parentResult) throws SchemaException, CommunicationException, ConfigurationException, SecurityViolationException, ObjectNotFoundException, GenericConnectorException, ObjectAlreadyExistsException, ExpressionEvaluationException { Validate.notNull(eventDescription, "Event description must not be null."); Validate.notNull(task, "Task must not be null."); Validate.notNull(parentResult, "Operation result must not be null"); LOGGER.trace("Received event notification with the description: {}", eventDescription.debugDump()); if (eventDescription.getCurrentShadow() == null && eventDescription.getDelta() == null){ throw new IllegalStateException("Neither current shadow, nor delta specified. It is required to have at least one of them specified."); } applyDefinitions(eventDescription, parentResult); PrismObject<ShadowType> shadow = null; shadow = eventDescription.getShadow(); ProvisioningContext ctx = provisioningContextFactory.create(shadow, task, parentResult); ctx.assertDefinition(); Collection<ResourceAttribute<?>> identifiers = ShadowUtil.getPrimaryIdentifiers(shadow); Change change = new Change(identifiers, eventDescription.getCurrentShadow(), eventDescription.getOldShadow(), eventDescription.getDelta()); ObjectClassComplexTypeDefinition objectClassDefinition = ShadowUtil.getObjectClassDefinition(shadow); change.setObjectClassDefinition(objectClassDefinition); LOGGER.trace("Start to precess change: {}", change.toString()); try { shadowCache.processChange(ctx, change, null, parentResult); } catch (EncryptionException e) { // TODO: better handling throw new SystemException(e.getMessage(), e); } LOGGER.trace("Change after processing {} . Start synchronizing.", change.toString()); shadowCache.processSynchronization(ctx, change, parentResult); }
private void prepareProtectedStringForStorage(ProtectedStringType ps, CredentialsStorageTypeType storageType) throws SchemaException { try { switch (storageType) { case ENCRYPTION: if (ps.isEncrypted()) { break; } if (ps.isHashed()) { throw new SchemaException("Cannot store hashed value in an encrypted form"); } protector.encrypt(ps); break; case HASHING: if (ps.isHashed()) { break; } protector.hash(ps); break; case NONE: throw new SchemaException("Cannot store value on NONE storage form"); default: throw new SchemaException("Unknown storage type: "+storageType); } } catch (EncryptionException e) { throw new SystemException(e.getMessage(), e); } }
private static void reencryptProtectedStringType(ProtectedStringType ps, String propName, Holder<Integer> modCountHolder, Protector protector) { if (ps == null) { // nothing to do here } else if (ps.isHashed()) { // nothing to do here } else if (ps.getClearValue() != null) { try { protector.encrypt(ps); increment(modCountHolder); } catch (EncryptionException e) { throw new TunnelException(new EncryptionException("Failed to encrypt value for field " + propName + ": " + e.getMessage(), e)); } } else if (ps.getEncryptedDataType() != null) { try { if (!protector.isEncryptedByCurrentKey(ps.getEncryptedDataType())) { ProtectedStringType reencrypted = protector.encryptString(protector.decryptString(ps)); ps.setEncryptedData(reencrypted.getEncryptedDataType()); increment(modCountHolder); } } catch (EncryptionException e) { throw new TunnelException(new EncryptionException("Failed to check/reencrypt value for field " + propName + ": " + e.getMessage(), e)); } } else { // no clear nor encrypted value } }
@Override public boolean checkPassword(String userOid, ProtectedStringType password, Task task, OperationResult parentResult) throws ObjectNotFoundException, SchemaException { OperationResult result = parentResult.createMinorSubresult(CHECK_PASSWORD); UserType userType; try { userType = objectResolver.getObjectSimple(UserType.class, userOid, null, task, result); } catch (ObjectNotFoundException e) { result.recordFatalError(e); throw e; } if (userType.getCredentials() == null || userType.getCredentials().getPassword() == null || userType.getCredentials().getPassword().getValue() == null) { return password == null; } ProtectedStringType currentPassword = userType.getCredentials().getPassword().getValue(); boolean cmp; try { cmp = protector.compare(password, currentPassword); } catch (EncryptionException e) { result.recordFatalError(e); throw new SystemException(e.getMessage(),e); } result.recordSuccess(); return cmp; }